How to best interpret blocked URL events for malware and C2

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to best interpret blocked URL events for malware and C2

L1 Bithead

We recently started issuing a daily report from our PA-5220s detailing which hosts on our network were blocked from visiting certain URL categories of interest to us (malware, phishing, C2, ransomware) during the previous calendar day. I am the person on our team who scans those reports in the morning and decides which events to investigate.

 

My initial reaction has been to treat the host as potentially infected when I see that it was blocked many times from visiting a malware URL, but in the majority of cases so far we were unable to find any evidence of malware on the computer after running a malware scan and investigating installed apps and browser extensions. Most of the time, those hosts only appear once or sporadically on the reports. I've learned to watch the pattern for a host over time instead of jumping on a host immediately, since that has been a more reliable indicator so far.

 

My leading hypothesis right now to explain the reports is that a user will visit a website that either is on the Palo Alto block list or attempts to load third-party content from offending domains. I'm curious whether that interpretation aligns with what others have seen in your own environments.

 

My second hypothesis, maybe more like a question, concerns how Palo Alto manages their block lists for URLs. Does anyone know the criteria Palo Alto uses to add a URL to the malware block list? Does anyone know the criteria Palo Alto uses to remove or otherwise expire a URL from a block list? I'm wondering whether some of these URLs were dangerous in the past but have since been remediated. Some of the domains I see blocked appear to be legitimate--maybe not of the highest reputation but at least they seem to be serving up real content. There's a possibility that all that content is a clever ruse, but it makes me wonder.

 

I appreciate any advice the community can share. I want to exercise due diligence in investigating these blocked URL alerts, but presently it feels like I'm spinning my wheels half the time looking for an infected device when perhaps all that happened was someone browsed a sketchy website on their lunch break.

 

Thanks, everyone!

1 accepted solution

Accepted Solutions

L6 Presenter

On our side, yes the overwhelming majority of what we see flagged as malware URLs end up being sketchy ads (and ad tracker apps on personal smartphones), redirects on other websites, or what where most likely compromised websites at some point (i.e. personal blogs/etc. running Wordpress with questionable maintenance). I am not aware of any explicit criteria PaloAlto publishes for determining what is/is not a malware URL, most are just based on "Palo Alto and third party researchers". They do say that discovered malware URLs/sites must remain benign for a minimum of 90 days before being changed to low-risk category or removed from the database.

View solution in original post

2 REPLIES 2

L6 Presenter

On our side, yes the overwhelming majority of what we see flagged as malware URLs end up being sketchy ads (and ad tracker apps on personal smartphones), redirects on other websites, or what where most likely compromised websites at some point (i.e. personal blogs/etc. running Wordpress with questionable maintenance). I am not aware of any explicit criteria PaloAlto publishes for determining what is/is not a malware URL, most are just based on "Palo Alto and third party researchers". They do say that discovered malware URLs/sites must remain benign for a minimum of 90 days before being changed to low-risk category or removed from the database.

Thank you for your reply, Adrian. I appreciate your help!

  • 1 accepted solution
  • 2451 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!